04-22-2009 10:26 PM
"best practice" root.sh
Executing root.sh does not need to happen too often, I know. But when you have 200 Oracle servers, chances are big "root.sh" has to be executed nevertheless once or more a week (200 servers, 1 patching per year --> more or less 1 server a day).
DBAs don't get root access, period!
We need to find a trick, and I'm convinced that sudo does this trick very well. Maybe also RBAC.
I just wanted to ask you as the community for some tips and tricks, especially about the fact that "root.sh" is writable by the oracle user, so if the oracle user wants to be nasty, he can....
brgds,
Raf L
04-22-2009 10:35 PM
Re: "best practice" root.sh
sudo does do the trick as you say, but the risk is there with root.sh being editable by the oracle user. I guess it comes down to trust mainly: either trust the DBAs to do their job or keep the overhead of running root.sh for them yourselves (which is not the world's most exciting part of being a sysadmin ;-) ).
If using sudo, make sure you enter the full path to the most common root.sh's in the sudoers file.
04-22-2009 11:03 PM
Re: "best practice" root.sh
Even though, as sysadmins, we generally trust the DBAs and run the script unquestioned, in fact it needs to be scrutinized before each run, as some malicious code might get inserted in it.
Running scripts as root via sudo is a generally frowned-upon practice due to the gaping security holes it introduces.
Good luck
UNIX because I majored in cryptology...
04-23-2009 12:55 AM
Re: "best practice" root.sh
The actions root.sh performs are not rocket science. A few chmod, mkdir and cp commands, that's all. The only real reason for root.sh to be executed as user root are these 2 lines:
"$CHOWN root $ORACLE_HOME/bin/dbsnmp"
"$CHOWN root $ORACLE_HOME/bin/oradism"
You could create your own root.sh substitute script, UNWRITABLE but executable for the oracle user, and in the script, you perform the commands with sudo.
That way, you prevent abuse of the root.sh script and you don't have to give your DBAs root access.
It may mean that you have to create a few versions because the root.sh script may vary from release to release.
Regards,
Bart
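One way to handle the concern raised in this thread, that root.sh stays writable by the oracle user, shown as an added example that is not from any poster or from Oracle: a root-owned wrapper stages a private copy of root.sh and runs it only if its SHA-256 digest is on a list the sysadmin reviewed. The function names, the wrapper path and the digest-list path are hypothetical, and `sha256sum` and `mktemp -d` are assumed to be available (on HP-UX substitute the locally installed equivalents).

```shell
#!/bin/sh
# Added example. Intended to live in a root-owned, non-writable wrapper that
# sudoers permits for the oracle user, e.g. (hypothetical path):
#   oracle ALL=(root) /usr/local/sbin/run_root_sh
# The digest list (one SHA-256 per line) is also root-owned; the sysadmin
# appends a digest only after reviewing that release's root.sh.

# Copy SCRIPT into a private directory, hash the copy, and print the copy's
# path only if its digest is in ALLOWLIST. Hashing the copy rather than the
# original means a later edit by the script's owner cannot change what runs.
stage_if_approved() {
    src=$1 allow=$2
    stage=$(mktemp -d) || return 2
    cp "$src" "$stage/root.sh" || { rm -rf "$stage"; return 2; }
    chmod 500 "$stage/root.sh"
    sum=$(sha256sum "$stage/root.sh" | awk '{print $1}')
    if [ -n "$sum" ] && grep -Fqx "$sum" "$allow"; then
        echo "$stage/root.sh"
        return 0
    fi
    rm -rf "$stage"
    return 1
}

# Run SCRIPT only when it matches a reviewed digest; refuse otherwise.
run_reviewed() {
    staged=$(stage_if_approved "$1" "$2") || {
        echo "refused: $1 does not match a reviewed digest" >&2
        return 1
    }
    rc=0
    sh "$staged" || rc=$?
    rm -rf "$(dirname "$staged")"
    return "$rc"
}

# In the wrapper itself (both paths are hypothetical placeholders):
#   run_reviewed /path/to/oracle_home/root.sh /etc/root_sh.sha256
```

A refusal is the signal to re-review: either a new release shipped a different root.sh, or the file was edited after review.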
04-23-2009 02:01 AM
Re: "best practice" root.sh
I think the best approach would be to create a new user with root access and password aging for DBAs.
DBAs would be required to inform the sysadmin in advance of root.sh kinds of maintenance.
PS: I'm DBA and sysadmin, and the sysadmin in me has never had reasons for complaints about the DBA in me. ;-)
Best Regards,
Eric Antunes